Posted to bugs@apr.apache.org by bu...@apache.org on 2013/02/23 03:12:07 UTC

[Bug 54603] New: [PATCH] apr_password_validate() crypt() support unreliable as of 1.5

https://issues.apache.org/bugzilla/show_bug.cgi?id=54603

            Bug ID: 54603
           Summary: [PATCH] apr_password_validate() crypt() support
                    unreliable as of 1.5
           Product: APR
           Version: HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: APR-util
          Assignee: bugs@apr.apache.org
          Reporter: harvey.eneman@oracle.com
    Classification: Unclassified

Created attachment 29984
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=29984&action=edit
Adjust nested conditions.

If a hash begins with '$' but is not blowfish or the custom apr algorithm, I
think apr_password_validate() should still "feed it to crypt() if possible" as
it did in 1.4.6.  As presently implemented, apr_password_validate() instead
falls out and uses an uninitialized char array in a string comparison.  The
nested conditional statement appears to be a programming error.  I've attached a
patch that I think adjusts the conditional statements appropriately.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@apr.apache.org
For additional commands, e-mail: bugs-help@apr.apache.org
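
The control flow described in the report above, as an added example that is not part of the original thread and is not APR's source code. It is a simplified model: the route_* names, the enum and the "$2a$"/"$2y$" and "$apr1$" prefix checks are assumptions made for illustration, and ROUTE_NONE stands for the case where no validator ever fills the comparison buffer.

```c
#include <stdio.h>
#include <string.h>

/* Which validator a hash string is handed to (model only, hypothetical names). */
typedef enum { ROUTE_NONE, ROUTE_BLOWFISH, ROUTE_APR1, ROUTE_CRYPT } route_t;

static int is_blowfish(const char *h)
{
    return h[0] == '$' && h[1] == '2' && (h[2] == 'a' || h[2] == 'y') && h[3] == '$';
}

static int is_apr1(const char *h)
{
    return strncmp(h, "$apr1$", 6) == 0;
}

/* Nested shape described in the report: the '$' test wraps the two known
 * schemes, so any other '$' hash matches no branch and never reaches crypt(). */
route_t route_nested(const char *hash)
{
    route_t r = ROUTE_NONE;   /* models "comparison buffer never written" */
    if (hash[0] == '$') {
        if (is_blowfish(hash))
            r = ROUTE_BLOWFISH;
        else if (is_apr1(hash))
            r = ROUTE_APR1;
    }
    else {
        r = ROUTE_CRYPT;
    }
    return r;
}

/* Flat chain: every hash that is not a known scheme falls through to crypt(). */
route_t route_flat(const char *hash)
{
    if (is_blowfish(hash))
        return ROUTE_BLOWFISH;
    if (is_apr1(hash))
        return ROUTE_APR1;
    return ROUTE_CRYPT;
}

int main(void)
{
    const char *h = "$6$salt$constructedhash";  /* constructed sample hash */
    printf("nested=%d flat=%d\n", route_nested(h), route_flat(h));
    return 0;
}
```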


[Bug 54603] [PATCH] apr_password_validate() crypt() support unreliable as of 1.5

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54603

Rainer Jung <ra...@kippdata.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Rainer Jung <ra...@kippdata.de> ---
Thanks for the patch.
Fixed in r1449308 for apr trunk and r1449309 for apr 1.5.x.
Will be part of 1.5.2.



[Bug 54603] [PATCH] apr_password_validate() crypt() support unreliable as of 1.5

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54603

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #29984|0                           |1
           is patch|                            |
  Attachment #29984|application/octet-stream    |text/plain
          mime type|                            |
